Risk Assessment Guideline for Transferring Personal Data Outside the Kingdom – First: Preparation Phase says that the Preparation Phase is the first step in the risk assessment process required before personal data is transferred or disclosed outside Saudi Arabia. It guides organizations on how to determine whether a risk assessment is required, and how to define the service or product, clarify the purpose of data processing, and map the full data lifecycle—including collection, storage, use, disclosure, and destruction.
The entity must analyze whether the service involves high-risk personal data processing scenarios as defined under Article 25(1) of the Implementing Regulation. Once the need for an assessment is confirmed, the organization must describe the service, clarify the purpose for processing, and analyze the data flow context across all processing phases (from collection to destruction).
First: Preparation Phase
This phase covers the required steps for conducting a risk assessment for data transfer or disclosure, including evaluating the need to assess potential risks and impacts of processing personal data when offering a service or product to the public. During this phase, entities should adhere to the following steps:
First: Preparation Phase (A)
Determine Whether the Assessment of Potential Risks and Impacts Is Required
This step involves providing a detailed description to determine whether an assessment of the potential risks and impacts of processing personal data is required when offering a product or service to the public. This assessment is based on the presence of any conditions outlined in Paragraph (1) of Article (25) of the Implementing Regulations, according to the following:
1. If the processing involves sensitive data.
2. In case of collecting, comparing, or linking two or more sets of personal data obtained from multiple sources.
3. If the controller’s activities involve processing personal data on a large scale or on a recurring basis for individuals who have partial or complete legal incapacity. This also applies to processing operations that require continuous monitoring of personal data subjects, the use of emerging technologies for processing personal data, or automated decision-making based on processing personal data.
4. Offering a product or service that is likely to pose a high risk to the privacy of the data subjects.
First: Preparation Phase (B)
Description of Product or Service
This step is designed to provide a detailed description of the service or product involving personal data processing. It helps determine whether the service or product aligns with the entity’s activities and defines the purpose for which personal data is collected.
First: Preparation Phase (C)
Identifying the Purpose
This step is designed to clearly and accurately define the purpose, ensuring it is identifiable in relation to personal data processing activities in general, and specifically those involving the transfer or disclosure of personal data to entities outside the Kingdom.
First: Preparation Phase (D)
Identifying the Context of the Personal Data Processing
This step is designed to describe the context of personal data processing, covering all main phases, from collection and retention to use, disclosure, and destruction.
Each phase is described by identifying the personal data processing activities it involves, along with any additional elements relevant to each activity, as appropriate for the phase, as follows:
1. Collection Phase: All personal data collection activities should be identified, along with their associated elements, including:
A. Sources of Personal Data Collection: The sources of personal data collection should be identified, whether obtained directly from the data subjects or through third parties. If the source is a third party, the entity’s name must be specified.
B. Methods of Personal Data Collection: All methods of personal data collection, such as electronic forms, cookies, and any other possible methods, should be identified and documented.
2. Storage/Retention Phase: All processing activities related to the storage and retention of personal data, including those for operational, archival, or backup purposes, should be identified. The following elements provide a clear description of the activities involved in this phase.
A. Geographic Location of Storage/Retention: The exact geographical location of personal data storage or retention should be clearly identified, including the specific country where the data is stored.
B. Place of Storage/Retention: The place where the data is stored or retained should be identified, for example: storage in the public cloud, private cloud, entity’s headquarters, or other storage or retention locations.
C. Period of Personal Data Retention: The retention period for personal data should be clearly specified, including whether it is based on a statutory requirement mandating a specific duration or linked to the incomplete fulfillment of the purpose for which the personal data was collected or processed.
3. Usage Phase: All personal data processing activities, including remote access for any purpose, should be defined. Each activity must align with the purpose detailed in Paragraph (2) of this section.
4. Disclosure Phase: All processing activities related to the disclosure of personal data, along with the entities to which it is disclosed, whether within or outside the Kingdom, should be identified. This includes disclosures to third parties as part of subsequent contracts.
5. Destruction Phase: All processing activities related to the destruction of personal data should be defined, whether the destruction is due to the fulfillment of the purpose for which the data was collected or the end of the retention period. This includes specifying the methods used to notify the expiration of the retention period and the secure means employed for destroying personal data.
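The steps above (A through D) describe a record an entity has to assemble before any transfer: the Article 25(1) trigger check, the service description and purpose, and one documented activity per lifecycle phase with its required elements. The following is an added example, not tooling from the guideline or from the Saudi Data and AI Authority, of how a privacy engineer might keep that record as structured data and check it for gaps. The data model, field names, the "SA" country code used to detect storage or disclosure outside the Kingdom, and the sample loyalty-app service are all constructed assumptions.

```python
"""Preparation Phase data-flow record with completeness checks (added example).

Hypothetical model written for this page; not the guideline's own tooling.
Field names, country codes and the sample service are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

KINGDOM = "SA"  # assumed ISO 3166-1 alpha-2 code used to spot cross-border points

# Article 25(1) conditions from step (A), keyed so a record can mark them.
TRIGGERS = {
    "sensitive_data": "1. processing involves sensitive data",
    "multi_source_linking": "2. collecting, comparing or linking sets from multiple sources",
    "large_scale_vulnerable_monitoring": "3. large-scale/recurring processing, incapacitated "
                                         "subjects, monitoring, emerging tech or automated decisions",
    "high_privacy_risk": "4. product or service likely to pose a high privacy risk",
}


@dataclass
class Collection:            # step D.1
    source: str              # "data_subject" or "third_party"
    method: str              # e.g. "electronic form", "cookies"
    third_party_name: Optional[str] = None   # required when source == "third_party"


@dataclass
class Storage:               # step D.2
    country: str             # where the data physically resides
    place: str               # "public cloud", "private cloud", "headquarters", ...
    retention_basis: str     # "statutory" or "purpose"
    retention_period_days: Optional[int] = None


@dataclass
class Usage:                 # step D.3
    activity: str
    purpose: str             # must match the purpose fixed in step (C)


@dataclass
class Disclosure:            # step D.4
    recipient: str
    country: str
    subsequent_contract: bool = False


@dataclass
class Destruction:           # step D.5
    trigger: str             # "purpose_fulfilled" or "retention_expired"
    expiry_notification: str # how expiry of the retention period is signalled
    secure_method: str       # e.g. "cryptographic erasure"


@dataclass
class ServiceRecord:
    name: str
    description: str                                   # step (B)
    purpose: str                                       # step (C)
    triggers: Dict[str, bool] = field(default_factory=dict)
    collection: List[Collection] = field(default_factory=list)
    storage: List[Storage] = field(default_factory=list)
    usage: List[Usage] = field(default_factory=list)
    disclosure: List[Disclosure] = field(default_factory=list)
    destruction: List[Destruction] = field(default_factory=list)


def triggered_conditions(rec: ServiceRecord) -> List[str]:
    """Article 25(1) conditions the record marks as present (step A)."""
    return [TRIGGERS[k] for k in TRIGGERS if rec.triggers.get(k)]


def assessment_required(rec: ServiceRecord) -> bool:
    return bool(triggered_conditions(rec))


def cross_border_points(rec: ServiceRecord) -> List[str]:
    """Every storage location or disclosure recipient outside the Kingdom."""
    points = [f"storage:{s.place}:{s.country}" for s in rec.storage if s.country != KINGDOM]
    points += [f"disclosure:{d.recipient}:{d.country}" for d in rec.disclosure
               if d.country != KINGDOM]
    return points


def validate_record(rec: ServiceRecord) -> List[str]:
    """Gaps that would leave the Preparation Phase record incomplete."""
    gaps: List[str] = []
    if not rec.description.strip():
        gaps.append("B: service description missing")
    if not rec.purpose.strip():
        gaps.append("C: purpose missing")
    # Disclosure may legitimately be empty; the other phases always have activities.
    for phase, items in (("collection", rec.collection), ("storage", rec.storage),
                         ("usage", rec.usage), ("destruction", rec.destruction)):
        if not items:
            gaps.append(f"D: {phase} phase has no documented activity")
    for c in rec.collection:
        if c.source == "third_party" and not c.third_party_name:
            gaps.append(f"D1A: third-party source via '{c.method}' not named")
    for s in rec.storage:
        if s.retention_basis == "statutory" and s.retention_period_days is None:
            gaps.append(f"D2C: statutory retention at {s.place} has no period")
    for u in rec.usage:
        if u.purpose != rec.purpose:
            gaps.append(f"D3: usage '{u.activity}' does not match stated purpose")
    return gaps


def example_record() -> ServiceRecord:
    """Constructed sample: a loyalty app with a backup and a vendor abroad."""
    return ServiceRecord(
        name="Loyalty app (constructed sample)",
        description="Mobile loyalty programme collecting purchase history",
        purpose="Award and redeem loyalty points",
        triggers={"multi_source_linking": True},
        collection=[Collection("data_subject", "mobile app form"),
                    Collection("third_party", "partner retailer API")],  # name omitted
        storage=[Storage("SA", "private cloud", "purpose"),
                 Storage("IE", "public cloud", "statutory")],           # period omitted
        usage=[Usage("compute point balance", "Award and redeem loyalty points"),
               Usage("marketing profiling", "Targeted advertising")],   # purpose drift
        disclosure=[Disclosure("Analytics vendor", "DE", subsequent_contract=True)],
        destruction=[Destruction("retention_expired", "scheduled job alert",
                                 "cryptographic erasure")],
    )


if __name__ == "__main__":
    rec = example_record()
    print("assessment required:", assessment_required(rec))
    print("cross-border points:", cross_border_points(rec))
    print("gaps:", *validate_record(rec), sep="\n  ")
```

Run on the sample, the checks report that an assessment is required (condition 2), list the Irish backup and the German vendor as the cross-border points that the later phases of the assessment must cover, and surface three gaps the guideline's steps call out explicitly: an unnamed third-party source, a statutory retention basis without a period, and a usage activity whose purpose does not match the one defined in step (C).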
Explanation of Risk Assessment Guideline for Transferring Personal Data Outside the Kingdom – First: Preparation Phase
Identify if required:
Risk Assessment Guideline for Transferring Personal Data Outside the Kingdom – First: Preparation Phase says that entities must decide whether their data processing triggers the need for risk assessment based on Article 25(1).
What is being offered?
Risk Assessment Guideline for Transferring Personal Data Outside the Kingdom – First: Preparation Phase also says that the organization must describe the product or service involving personal data use.
Why is data processed?
Risk Assessment Guideline for Transferring Personal Data Outside the Kingdom – First: Preparation Phase says to define a clear, specific purpose for collecting and using the personal data.
Map the data flow:
Risk Assessment Guideline for Transferring Personal Data Outside the Kingdom – First: Preparation Phase says to break down the full lifecycle of the personal data: collection, storage, use, disclosure, and destruction.
How data is collected:
Risk Assessment Guideline for Transferring Personal Data Outside the Kingdom – First: Preparation Phase says to identify data sources, collection methods, and whether third parties are involved.
Where and how it’s stored:
Risk Assessment Guideline for Transferring Personal Data Outside the Kingdom – First: Preparation Phase says to detail geographic location, storage type (cloud, HQ), and retention period.
What is done with data:
Risk Assessment Guideline for Transferring Personal Data Outside the Kingdom – First: Preparation Phase also says to specify processing actions and ensure they align with the intended purpose.
Who gets access:
Risk Assessment Guideline for Transferring Personal Data Outside the Kingdom – First: Preparation Phase says to list all parties (internal/external) receiving the data, including for contractual reasons.
Secure deletion method:
Risk Assessment Guideline for Transferring Personal Data Outside the Kingdom – First: Preparation Phase says to define how and when personal data is destroyed securely, once it’s no longer needed.